<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Latest PCI guidelines cause headaches all around</title>
	<atom:link href="https://www.lexiconn.com/blog/2015/06/latest-pci-guidelines-cause-headaches-all-around/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.lexiconn.com/blog/2015/06/latest-pci-guidelines-cause-headaches-all-around/</link>
	<description>All about e-Commerce, ShopSite, and Web Hosting</description>
	<lastBuildDate>Thu, 16 Dec 2021 19:59:25 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.2.1</generator>
	<item>
		<title>By: Bernd P</title>
		<link>https://www.lexiconn.com/blog/2015/06/latest-pci-guidelines-cause-headaches-all-around/#comment-565191</link>
		<dc:creator><![CDATA[Bernd P]]></dc:creator>
		<pubDate>Tue, 31 May 2016 01:27:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.lexiconn.com/blog/?p=7948#comment-565191</guid>
		<description><![CDATA[In my opinion something is wrong with the feel for &quot;Maximum Security&quot;.
As far as it is known that TLS 1.0 is at least in danger of being vulnerable if not properly patched/mitigated, or in case weak suites are in use, it makes no sense to further allow this potentially insecure protocol version.
So, the most modern protocol we have IS TLS 1.2 and is thus to be the standard for now. Since PFS can only be properly supported on TLS 1.2, this is the next target to reach ASAP, meaning by removing old non-PFS suites from any possible server. Immediately. PFS is already supported in all modern clients. Older ones or old devices with old OSes are - per definition - unsafe to use and therefore should no longer be enabled and not allowed to be used.
Servers that cannot be upgraded/patched are simply and unluckily subject to be removed and replaced by newer ones. I consider it irresponsible to even &quot;tolerate&quot; the use of potentially insecure configurations, suites w/o PFS, TLS 1.0, non-HSTS policies for another two years. The harshest cut is the best cut. In the name of communication security and privacy. And also regarding that TLS 1.3 is already on the draft sheets! Which is an even far better concept because it is really strict. So, working towards these edges as soon as we can, and already now, is the best concept for secure server operations already today. Lethargy or &quot;comfortable slowness&quot; concerning security implementation is no concept. Every additional TLS 1.0 day is a bad day. Potentially a risk. And this is enough reason. And IF exploited one day or the other, by someone, it becomes a catastrophe. Tighten your systems.
&quot;Bullet-proof&quot; like Ivan Ristic says. Now! And not after another two years!]]></description>
		<content:encoded><![CDATA[<p>In my opinion something is wrong with the feel for &#8220;Maximum Security&#8221;.<br />
As far as it is known that TLS 1.0 is at least in danger of being vulnerable if not properly patched/mitigated, or in case weak suites are in use, it makes no sense to further allow this potentially insecure protocol version.<br />
So, the most modern protocol we have IS TLS 1.2 and is thus to be the standard for now. Since PFS can only be properly supported on TLS 1.2, this is the next target to reach ASAP, meaning by removing old non-PFS suites from any possible server. Immediately. PFS is already supported in all modern clients. Older ones or old devices with old OSes are &#8211; per definition &#8211; unsafe to use and therefore should no longer be enabled and not allowed to be used.<br />
Servers that cannot be upgraded/patched are simply and unluckily subject to be removed and replaced by newer ones. I consider it irresponsible to even &#8220;tolerate&#8221; the use of potentially insecure configurations, suites w/o PFS, TLS 1.0, non-HSTS policies for another two years. The harshest cut is the best cut. In the name of communication security and privacy. And also regarding that TLS 1.3 is already on the draft sheets! Which is an even far better concept because it is really strict. So, working towards these edges as soon as we can, and already now, is the best concept for secure server operations already today. Lethargy or &#8220;comfortable slowness&#8221; concerning security implementation is no concept. Every additional TLS 1.0 day is a bad day. Potentially a risk. And this is enough reason. And IF exploited one day or the other, by someone, it becomes a catastrophe. Tighten your systems.<br />
&#8220;Bullet-proof&#8221; like Ivan Ristic says. Now! And not after another two years!</p>
]]></content:encoded>
	</item>
</channel>
</rss>
